The first step in the procedure is to modify the session-manager element in the sun-web.xml configuration file. When doing so, you must, in addition, set the reapIntervalSeconds property to 1 second, as shown in the following example:

Setting reapIntervalSeconds to 1 second ensures that session data is not missed during session failover; that is, clustered instances are synchronized after restarting before new requests are accepted.

The timeout parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" timeout="value"

This configuration parameter instructs the reverse proxy to close the connection to the origin server if the origin server does not respond to a request within the specified timeout period. Note that this parameter does not signify that the request has to be completed within the timeout period.

The exclude-escape-chars parameter can be configured by using the http-client-config ObjectType function in obj.conf as follows:

ObjectType fn="http-client-config" exclude-escape-chars="+%"

3.2.7 PID File Disappears in Red Hat Linux

The PID file disappears in the Red Hat Linux operating system and the server cannot be stopped. To overcome this situation, change the temp-path value in the server.xml file to a location where the server user has exclusive rights, as shown in the following example:

<temp-path>/var/tmp/https-test-73d21d24</temp-path>

Another option to resolve this situation is to exclude the temp-directory in the tmpwatch program.

3.2.8 Token Name

The token name that is used for the password-file option in the wadm CLI must be in lowercase letters, as shown in the following example.

wadm_internal

3.2.9 Using SMF on Solaris 10

If you choose to use SMF to control the administration server, it is recommended that you use SMF to manage all other instances as well. This will enable all instances to be controlled independently.

3.2.10 Problem with set-cookie Header

Starting from the 7.0.9 release, ;HttpOnly is appended to the set-cookie header value for security reasons. However, if you do not wish to append ;HttpOnly to the set-cookie header, use the following process:

Set the httponly-session-cookie property of the servlet-container element in server.xml configuration file to false:

A new property named httponly-session-cookie has been added to the servlet-container element of the server.xml configuration file. By default, this property is true and ;HttpOnly is appended to the set-cookie header. When this flag is set to false, ;HttpOnly is not appended. You can set this property by using the set-servlet-container-prop CLI command or the Servlet Container page of the administration console.
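
The following check is an added example and is not part of the product documentation. It reads raw HTTP response headers on standard input and prints the name of every cookie whose set-cookie header lacks the HttpOnly attribute, which shows whether httponly-session-cookie is in effect. The function names and the sample headers are constructed for this illustration.

```shell
#!/bin/sh
# Added example: list cookies that are sent without the HttpOnly attribute.

cookies_missing_httponly() {   # stdin = raw HTTP response headers
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie[ \t]*:/ {
            hdr = $0
            sub(/^[^:]*:[ \t]*/, "", hdr)        # drop the header name
            n = split(hdr, part, ";")
            name = part[1]
            sub(/=.*/, "", name)                 # cookie name only
            ok = 0
            # Inspect attributes only, so a cookie value that merely
            # contains the text "httponly" is not mistaken for the flag.
            for (i = 2; i <= n; i++) {
                attr = tolower(part[i])
                gsub(/[ \t]/, "", attr)
                if (attr == "httponly") ok = 1
            }
            if (!ok) print name
        }'
}

sample_headers() {   # constructed response headers for this example
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: JSESSIONID=abc123; Path=/app;HttpOnly\r\n'
    printf 'set-cookie: theme=httponly-dark; Path=/\r\n'
    printf 'Set-Cookie: JSESSIONID=def456; Path=/app; Secure\r\n'
    printf '\r\n'
}

sample_headers | cookies_missing_httponly
```

Against a running instance, the saved output of a header-only request can be piped into cookies_missing_httponly in place of sample_headers.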

3.2.11 Information About Securing a URI Using an Authentication Database

Note that Limit Queue Length is the limit on the maximum number of connections queued. This limit depends on the availability of file descriptors.

3.2.15 TLS Communication Through Certain Load Balancers Breaks in 7.0.13 and Later Releases

When you use certain load balancers, like F5 Networks' BIG-IP, to distribute client requests to Oracle iPlanet Web Server 7.0.13 (and later releases), TLS communication using CBC ciphers (such as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA) breaks. BIG-IP and, possibly, other load balancers are unable to forward responses from the Oracle iPlanet Web Server instances to the clients.

The NSS version included in Oracle iPlanet Web Server release 7.0.13 (and later) implements split data packets. BIG-IP and some other load balancers might not be able to handle split data packets.

Workaround

Caution:

This workaround removes the fix introduced in release 7.0.13 for the CVE-2011-3389 security vulnerability.

Stop the server.

In the startserv script, set the environment variable NSS_SSL_CBC_RANDOM_IV to 0.

The startserv script is located in the instance_dir/bin directory. On Windows, for example, add the following line in the startserv script:

set NSS_SSL_CBC_RANDOM_IV=0

Start the server.
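
Because the workaround removes the CVE-2011-3389 fix, it is useful to know which instances have it applied. The following audit is an added example and is not part of the product documentation; the function names and sample files are constructed, and the Unix assignment form is an assumption (only the Windows line is shown above).

```shell
#!/bin/sh
# Added example: report whether a startserv script turns off the CBC
# fix by setting NSS_SSL_CBC_RANDOM_IV to 0 (the value documented above).

cbc_iv_state() {   # $1 = path to a startserv script (sh or Windows batch)
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    value=$(tr -d '\r' < "$1" | awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            low = tolower(line)
            # Skip sh (#) and batch (::, REM) comment lines.
            if (line ~ /^#/ || line ~ /^::/ || low ~ /^rem[ \t]/ || low == "rem") next
            # Drop a leading "set" (batch) or "export" (sh) keyword.
            if (low ~ /^(set|export)[ \t]+/) sub(/^[A-Za-z]+[ \t]+/, "", line)
            if (line ~ /^NSS_SSL_CBC_RANDOM_IV=/) {
                sub(/^NSS_SSL_CBC_RANDOM_IV=/, "", line)
                sub(/[ \t;].*$/, "", line)   # cut "; export ..." and trailing text
                gsub(/"/, "", line)
                last = line; seen = 1        # the last assignment wins
            }
        }
        END { if (seen) print last; else print "unset" }')
    if [ "$value" = "0" ]; then echo "workaround-applied"; else echo "fix-active"; fi
}

write_samples() {  # $1 = directory; all files are constructed for this example
    printf 'REM constructed sample\r\nset NSS_SSL_CBC_RANDOM_IV=0\r\n' > "$1/win_startserv.bat"
    printf '#!/bin/sh\nNSS_SSL_CBC_RANDOM_IV=0; export NSS_SSL_CBC_RANDOM_IV\n' > "$1/unix_startserv"
    printf '#!/bin/sh\n# NSS_SSL_CBC_RANDOM_IV=0\nSERVER_ROOT=/opt/example\n' > "$1/commented_startserv"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(cbc_iv_state "$f")"
done
rm -rf "$demo_dir"
```

Run cbc_iv_state against each instance_dir/bin/startserv script to list the instances on which the workaround is in place.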

3.2.16 Search Collections Does Not Support PDF 9.0

A search collection indexes and stores information about documents (.html, .htm, .txt, and .PDF) on the server. Once the server administrator indexes all or some of a server's documents, information such as title, creation date, and author is available for searching.

Note that PDF documents of version 9.0 or later versions are not supported for search collections.

3.2.17 Information about the htpasswd Command

The htpasswd command is used to generate or modify a password file suitable for use with the htaccess access control mechanism.

The htpasswd usage is as follows:

htpasswd [-c] passwordfile username [password]

In this command, -c creates a new passwordfile (overwriting an old one if it exists). Without -c, the command modifies the existing file by either updating the user's password (if the user already exists) or adding a new user with the given name. If the optional password argument is not specified, the command prompts interactively for the password.

Note:

htaccess is not the preferred access control mechanism in Web Server. Wherever possible, use ACLs instead.

When you are configuring sticky load balancing, you must correctly identify the name of the session cookie used by the backend server, and use that name as the value of the sticky-cookie parameter of the set-origin-server SAF. The default value of sticky-cookie is JSESSIONID. If the backend server is using a different sticky cookie name, set the sticky-cookie parameter value accordingly instead of using the default name.

An irregular HTTP response from a backend server can force the Route subsystem to assume that the backend has gone 'bad' and mark it as offline. An example is a backend server sending a response with a mismatching content-length. In such a case, sticky cookie load balancing can break.

The functionality to use the 'Referrer' header in an incoming request in the processing of an ACL is not built into the core functionality of the Web Server. The functionality is provided in one of the sample plugins that ship with the product:

With Oracle iPlanet Web Server 7.0, the samples are not installed by default. They have to be manually selected during the installation of the product. Do the following to install the NSAPI sample plugin:

Build the NSAPI sample plugin nsacl. The environment must be set up with a compiler in the following path:

On Oracle iPlanet Web Server 7.0.16 and earlier versions, the lasref.c file needs to be edited with the following change:

Change line 75 from

rq->request_is_cacheable &= ~NSAPICacheAccelSafe;

To

rq->request_is_cacheable = 0;

This issue has been addressed in Oracle iPlanet Web Server 7.0.17.

3.2.23 New Configuration Option to Get/Set Properties in the auth-db

A new configuration option, followreferrals, is added for the auth-db. This option applies to LDAP auth-dbs and is set to true by default.

You can use the CLI get-ldap-authdb-prop and set-ldap-authdb-prop commands, or the Admin GUI pages, to get/set this configuration as needed. This option also applies to the LDAP auth-db used in the admin server.